The Backstory

So a couple of months ago I received a phone call from the Wells Fargo fraud protection service guys regarding some charges on my debit card. “No big deal,” I thought. I’ve had those calls before for one of my credit cards and they’re usually nothing. It just happens that one or two of your purchases seems to fall outside the computer generated model of your usual purchase practices (or perhaps that a purchase happens to match a model of typical fraudulent activity). It’s always better to have models that suspect a bit too much as fraud and identify the majority of fraudulent activity than to have models that let fraudulent activity go unnoticed.

No Big Deal

I wasn’t nervous since I’ve received phone calls for “false positives” before and my card was safe in my wallet. (Although there are certinly a multitude of ways to steal the card info without having the card.) This time it turned out that these models had detected activity from a few hours before that was indeed fraudulent.

My Card Details Had Been Stolen

Someone had used my credit card info in attempts to purchase an iPod Touch from ($254), something from ($151), and some sort of web service from ($99). It was at that point (or perhaps on the next purchase) that Wells Fargo froze the card and started trying to contact me. I think I was told a foreign purchase had been rejected and was what had triggered the system. In any event, I wasn’t too worried since the card had been used as a credit card and I was not going to be liable for any of the purchases.

Getting Help From the Retailers

I called Apple’s customer service first and after haggling with the first person I spoke with to help her understand the $254 purchase was not an iTunes purchase and to not transfer me to that division, Apple verified that the transaction had already been cancelled thanks to my bank’s work. Apple told me what had been purchased as well as the name, email, address, and phone number that had been used on the purchase.

Walmart wasn’t so helpful. I understand the reasoning behind their policies, but I was not as impressed as I had been with Apple. Walmart verified that the purchase had indeed been cancelled by my bank already. They would not provide any details of the shipping name or address, in order to protect my identity. Obviously the name and address that would have been used was not mine, but I understand that someone else could possibly be calling in posing as me. I would have to file a police report and the police would have to contact Walmart in order to obtain that information. has no real US presence from what I could tell and does not provide a telephone number for support or customer service. That charge was simply credited back to my account by my bank instead of never passing through the “pending” stage.

Verified by Visa

When my replacement card came, it was time to pay the cell phone bill, so I went online to do that. As I was going through the payment process, the Verified by Visa box came up as usual, and I thought, “Hmm, maybe I should actually set that up this time.” I had always skipped that step, opting not to sign up. I suppose if I had set that up with the first card, I may have avoided the fraudulent charges.

Failure to Encourage Strong Passwords

As I was going through the process, I was surprised at the directions for the password I was supposed to create. The password could only be 6 to 8 characters, with no punctuation. While 8 characters might be okay, it’s an artificial cap that limits the security of the password (generally more characters leads toward a stronger password). The exclusion of punctuation also artificially limits the security of the password. It reminded me of when I first signed up for Wells Fargo online banking while I was in high school and they limited the length of the password to 8 or so characters. (My favorite thing there was that if you typed the first 8 characters correctly you could then fill in the box with random characters and you’d still get in.)

My favorite suggestion from Visa, however, was the suggestion to write the password down. What? Isn’t that like the first rule of password security–don’t write it down? Very interesting. You’d think banks and financial institutions would be on the more strict side regarding password requirements. (Check out this story of how Chase requires its customers to ignore common sense in submitting claims about fraud.) I guess Visa’s decision was based more on benefiting itself than its customers since it has to pay for fraudulent activity. Lower password regulations means more people sign up and they will have fewer fraudulent transactions to cover.